Poor Procedures for Discarding Old Equipment Led to Breach, Lawsuit Alleges
A $5 million lawsuit seeking class action status has been filed against Morgan Stanley, claiming the financial organization failed to properly safeguard personally identifiable information when the company discarded old computer equipment.
The suit is being brought by Morgan Stanley customer Timothy Smith in the U.S. District Court for the Southern District of New York on behalf of about 100 other customers affected by the data breach. The case is tied to incidents in 2016 and 2019 when the firm decommissioned several pieces of computer equipment without properly scrubbing the personal data.
Morgan Stanley confirmed these incidents in data breach notification letters sent to the California attorney general and other states’ attorneys general. The letter notes the data exposed may have included account names and numbers (at Morgan Stanley and any linked bank accounts), Social Security number, passport number, contact information, date of birth, asset value and holdings data. It says it offered victims two years of prepaid credit monitoring services.
How the Breach Occurred
“In 2016, Morgan Stanley closed two data centers and decommissioned the computer equipment in both locations. As is customary, we contracted with a vendor to remove the data from the devices,” the letter notes. “We subsequently learned that certain devices believed to have been wiped of all information still contained some unencrypted data.”
In a second incident in 2019, the company disconnected and replaced a computer server in a local branch office that contained information on encrypted disks. “During a recent inventory, we were unable to locate that device and a software flaw in this server could have allowed some data to be exposed,” Morgan Stanley reported.
The lawsuit claims that if criminals obtained access to the devices involved, they could use the customer data they contained to steal identities or sell it to other criminals or use it to make fraudulent purchases.
But a Morgan Stanley spokesperson tells Information Security Media Group: “We have continuously monitored the situation and have not detected any unauthorized activity related to the matter, nor access to or misuse of personal client information.”
The lawsuit alleges: “This PII was compromised due to Morgan Stanley’s negligent and/or careless acts and omissions and the failure to protect customers’ data. In addition to Morgan Stanley’s failure to prevent the data breach, the defendant failed to detect the data breach for years, and when they did discover the data breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ attorneys general.”
The lawsuit also alleges that Morgan Stanley:
- Did not use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted customer information it was maintaining;
- Could have prevented the data breach by encrypting data;
- Failed to learn from a similar previous incident.